malwarewikiaorg-20200223-history
HeartBleed (Ransomware)
This article is about the ransomware. For the OpenSSL vulnerability, see Heartbleed.

'''HeartBleed''' (also known as '''H34rtBl33d''' or '''D3G1D5Crypt''') is a ransomware that runs on Microsoft Windows. It is aimed at English-speaking users.

== Payload ==

=== Transmission ===

HeartBleed is distributed by breaking in through an insecure RDP configuration: the attacker places an archive file in the root directory and then opens it. It may also spread through e-mail spam and malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

=== Infection ===

HeartBleed encrypts the user's data, including data of sites and servers, and then demands a ransom of roughly 0.05 to 0.1337 BTC to return the files (the payment page quoted below asks for 0.1337 BTC). It encrypts files with the following extensions:

.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .accdb, .aes, .ai, .arc, .asc, .asf, .asm, .asp, .avi, .backup, .BAK, .bak, .bat, .bmp, .brd, .config, .css, .doc, .gif, .htm, .html, .jpeg, .jpg, .js, .key, .lay, .lay6, .ldf, .log, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .msi, .onetoc2, .pdb, .php, .phtml, .png, .pst, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sql, .sqlite3, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .txt, .wmv, .xml

While infecting files it also tries to spread further: it shares copies of itself over P2P through the LimeWire file-sharing client, attempts to add a copy of itself to RAR archives, sends infection information to three e-mail addresses, and communicates with its server. It also uses BalloonTips, the system feature that shows pop-up bubbles from the notification area, to display ransomware text in the Windows notification panel. The notifications show the following text:

<pre>
Error! Your file could not be opened Please Decrypt Your File Using H34rt8133d Decrypter
Want Your Files Back? here|BUTTON
Find out here about H34rt8133d Decrypter and how to return it here|BUTTON
Cheaper than wannacry!
H34rt8133d very good ransomware in the world
Ransomware With Cheapest Ransom! FACT! Ransomware that has infected your computer turned out RANSOMWARE WITH THE LOWEST CHOICE. Want your file back? here|BUTTON
Go Home Kidz, Zuahahaha!
Pay Some Money To Recover Your Data, Zuahahahaha!
</pre>

If the provided link is clicked, users are directed to the suspicious page scorpionlocker.xyz. The site displays the following:

<pre>
Your Data Have Been Encrpyted
[ASCII-art banner omitted]
If You Need Your Data Back You Need To Pay Us 0.1337 Bitcoins Hehehe
Contact: torbox3uiot6wchz.onion
create a account here and email us blackpanda007@torbox3uiot6wchz.onion
Your Data Is Safe When You Pay Us We Will Give You Key And You Can Unencrpyt Your Data
////////////////////////////// All Hope Is Gone \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Heart Bleed
//////////////////////////////// [ Login ] \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
</pre>

It deletes the shadow copies on the local drives (C: and D: in the commands), hides the boot manager menu so that the recovery and repair options are not offered at boot, creates a local user D3g1d5 with the password Dwixtkj37 (in <code>net user &lt;name&gt; &lt;password&gt; /add</code> the second argument is the password, not a second account), and adds D3g1d5 to the local Administrators group. It uses the following commands; the /C prefix is the cmd.exe switch that runs a command and exits, so these are launched through cmd.exe:

<pre>
vssadmin delete shadows /for=c: /all /quiet
vssadmin delete shadows /for=d: /all /quiet
/C bcdedit /set {bootmgr} displaybootmenu no
/C net localgroup Administrators D3g1d5 /add
/C net user D3g1d5 Dwixtkj37 /add
</pre>

Note that in the order shown the group change precedes the account creation; <code>net localgroup</code> reports an error for an account that does not yet exist, so the listing may not reflect the actual execution order.

It then drops H34rtBl33d.txt, H34rtBl33d.html and H34rtBl33d.bmp. The text file says the following:

<pre>
This Is Your Personal Key: RDNHMUQ1Q1lCRVJDUkVXUENQQ2FkbWluTVRjNFFrWkNSa1l3TURBek1EWkQ *****
Pay Some Money To Recover Your Data, Zuahahahaha!
</pre>

The html file says the following:

<pre>
All Your File At Your Computer Has Been Encrypted By H34rtBl33d ~
Contact Me For Decrypter Key: http://trl74246phm5t2gn.onion.to
Who Am I? : ! DnThirTeen - JCOder - WongTani
</pre>

== Removal ==

Stupid Decrypter is able to decrypt this ransomware.

[[Category:Assembly]]
[[Category:Ransomware]]
[[Category:Win32 ransomware]]
[[Category:Win32]]
[[Category:Microsoft Windows]]
[[Category:Win32 trojan]]
[[Category:Trojan]]
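The command sequence quoted in the Infection section above (vssadmin, bcdedit, net user, net localgroup) is the part of this ransomware that is easiest to catch before any file is encrypted, because every step appears as a process-creation event. The following is an added example, not code from this wiki page or from the ransomware: it normalises the spacing used in the page's listing and applies four rules to process command lines of the kind Sysmon Event ID 1 or Windows Security Event 4688 record, then flags hosts where more than one step was seen. The host names, user names and benign events are constructed for the example; the malicious command lines are the ones quoted in the article.

```python
"""Detection of the pre-encryption command sequence quoted in the article.

Added example (not code from the Malware Wiki page or from the ransomware).
Host names, user names and the benign events below are constructed; the
malicious command lines are the ones the article lists.
"""
import re
from typing import Dict, List


def normalise(cmdline: str) -> str:
    """Bring "/ for = c: / all" (as listed on the page) and "/for=c: /all" to one form."""
    s = re.sub(r"\s*/\s*", " /", cmdline)   # one space before each switch, none after it
    s = re.sub(r"\s*=\s*", "=", s)          # no spaces around "="
    return re.sub(r"\s+", " ", s).strip()


# One rule per step of the sequence shown in the article.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("boot_menu_hidden",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{bootmgr\}\s+displaybootmenu\s+no\b", re.I)),
    ("local_user_created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<name>\S+)(?:\s+(?P<pw>\S+))?\s+/add\b", re.I)),
    ("added_to_administrators",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(?P<name>\S+)\s+/add\b", re.I)),
]


def analyse(events: List[dict]) -> Dict[str, dict]:
    """Group rule hits per host; record created accounts and group additions."""
    per_host: Dict[str, dict] = {}
    for ev in events:
        cmd = normalise(ev["cmdline"])
        entry = per_host.setdefault(ev["host"], {"rules": set(), "accounts": {}, "admins": set()})
        for name, rx in RULES:
            m = rx.search(cmd)
            if not m:
                continue
            entry["rules"].add(name)
            if name == "local_user_created":
                # "net user <name> <password> /add": the second token is the
                # password, which is how Dwixtkj37 in the article reads.
                entry["accounts"][m.group("name")] = m.group("pw")
            elif name == "added_to_administrators":
                entry["admins"].add(m.group("name"))
    return per_host


def suspicious_hosts(per_host: Dict[str, dict], min_rules: int = 2) -> List[str]:
    """Hosts on which at least min_rules distinct steps were seen. A lone
    'net user /add' from routine administration stays below the threshold."""
    return sorted(h for h, e in per_host.items() if len(e["rules"]) >= min_rules)


# Constructed sample events: WS01 replays the article's sequence, WS02 is benign admin work.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmdline": "vssadmin delete shadows / for = c: / all / quiet"},
    {"host": "WS01", "user": "jdoe", "cmdline": "vssadmin delete shadows / for = d: / all / quiet"},
    {"host": "WS01", "user": "jdoe", "cmdline": "cmd /C bcdedit / set {bootmgr} displaybootmenu no"},
    {"host": "WS01", "user": "jdoe", "cmdline": "cmd /C Net localgroup Administrators D3g1d5 / add"},
    {"host": "WS01", "user": "jdoe", "cmdline": "cmd /C Net user D3g1d5 Dwixtkj37 / add"},
    {"host": "WS02", "user": "backup", "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "user": "itadmin", "cmdline": "net user helpdesk Temp1234 /add"},
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for host in suspicious_hosts(result):
        e = result[host]
        print(host, sorted(e["rules"]), e["accounts"], sorted(e["admins"]))
```

Requiring two distinct steps per host keeps a single account creation from paging anyone, while the shadow-copy deletion alone is worth its own alert in most environments; lower `min_rules` to 1 if that is the policy.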
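The "personal key" quoted from H34rtBl33d.txt above is worth a second look during triage, because it is base64 text rather than opaque key material. The following is an added example, not code from this wiki page or from the ransomware: it decodes the visible part of the key (the page cuts it off with "*****") and then finds the longest suffix of the result that is itself base64 of printable text. Reading the decoded fields as an author tag, a computer name, a user name and a nested value that resembles a Windows ProcessorId string is this example's interpretation, an assumption the article does not state.

```python
"""Decoding the "personal key" quoted from H34rtBl33d.txt in the article.

Added example, not code from the Malware Wiki page or from the ransomware.
PERSONAL_KEY is the key as quoted there (truncated on the page, so only the
visible prefix is decoded). The field reading in analyse_key() is an assumption.
"""
import base64
import binascii
from typing import Optional, Tuple

PERSONAL_KEY = "RDNHMUQ1Q1lCRVJDUkVXUENQQ2FkbWluTVRjNFFrWkNSa1l3TURBek1EWkQ"


def b64_lenient(s: str) -> Optional[bytes]:
    """Base64-decode without relying on padding; None if s is not base64."""
    s = s.strip()
    if not s or len(s) % 4 == 1:             # no valid base64 string has this length
        return None
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def is_printable_ascii(raw: bytes) -> bool:
    return bool(raw) and all(32 <= b < 127 for b in raw)


def decode_personal_key(key: str) -> str:
    """Outer layer: the quoted key decodes to printable text, not random bytes."""
    raw = b64_lenient(key)
    if raw is None or not is_printable_ascii(raw):
        raise ValueError("key is not base64 of printable text")
    return raw.decode("ascii")


def longest_decodable_suffix(text: str) -> Tuple[str, str]:
    """Longest suffix (whole 4-character groups, at least 8 characters) that is
    itself base64 of printable text. Returns (encoded, decoded) or ("", "")."""
    for n in range(len(text) - len(text) % 4, 7, -4):
        raw = b64_lenient(text[-n:])
        if raw is not None and is_printable_ascii(raw):
            return text[-n:], raw.decode("ascii")
    return "", ""


def analyse_key(key: str) -> dict:
    outer = decode_personal_key(key)
    inner_enc, inner_dec = longest_decodable_suffix(outer)
    return {
        "outer": outer,
        # Assumed reading of the prefix: author tag, victim computer name, user name.
        "prefix": outer[: len(outer) - len(inner_enc)],
        "nested_encoded": inner_enc,
        # Assumption: the nested value resembles a Windows ProcessorId string,
        # cut short because the page truncates the key.
        "nested_decoded": inner_dec,
    }


if __name__ == "__main__":
    for k, v in analyse_key(PERSONAL_KEY).items():
        print(f"{k:15} {v}")
```

The decoded prefix contains the D3G1D5 tag that also appears in the sample's alias D3G1D5Crypt, which is one way to tie a ransom note back to this family even when the file names differ.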